[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Anders Arnholm Anders at Arnholm.se
Wed Jan 13 09:45:32 UTC 2010


On Tue, Jan 12, 2010 at 04:55:10PM -0800, John Ward wrote:

> account in the first place, another similar layer.  If a grid operator 
> wants a little better protection by checking the string the client 
> identifies itself with would seem a reasonable additional layer.

The grid operator may give any stupid ideas to the user, but I would not
call it security. Like there is no security in making a web-site that
only works in IE. If the operator calls this a security thing, it's
obvious that person doesn't know squat about security or is lying. Either
case lowers the trust for the operator to me.

> So, is the system secure?  If one's goal was to prevent casual 
> non-compliance then it probably is reasonably secure.  If one wants to 
> prevent anyone from ever running a bad client on their grid then one's 
> grid is not secure.
> 
> "Security through obscurity" is quite valid.  That's why we (hopefully) 
> choose obscure passwords. If one understands what the obfuscation gets 
> them then it is just another layer.

A good random passphrase is not security by obscurity. It's a part of
authentication of the user. In security research one has identified
three elements that are needed for authentication of a person:
"ownership", "knowledge" and "inherence". The passphrase is the
"knowledge" part; the harder something is to know, the better this leg
of authentication. For example, we could say that if you can state on
the phone what year you were born, I think you are you. This knowledge
is quite easy for someone else to figure out, so this leg is quite easy
to break. By making the knowledge some kind of long obscure string I made
up myself, it's much harder for someone else to figure this out and the
trust that me is me gets better. Still, it's just the knowledge element.
To make a good authentication one needs at least two elements. Verifying
the two other elements of authentication over the internet is almost
impossible, even if some attempts have been made.

The passphrase only lets you, to some extent, be sure that the person at
the other end is the person he or she claims to be. It has nothing to do
with securing what he or she can do.

> I think having lots of easy to setup and use layers is a good thing even 
> when some of them are easily defeated. :-)

The big risk is that no security chain is stronger than its weakest
link. And having a lot of strong links in one part makes the user feel
secure. Feeling secure when one isn't could be fatal.

(( Talking security in a foreign language is kind of hard, I could have
slipped on the terms as they don't match 1-to-1 to Swedish. ))

-- 
      o_   Anders Arnholm,
 o/  /\    anders at arnholm.se
/|_, \\    http://anders.arnholm.se/
/
`